Word's password feature 'not a security tool'
Munir Kotadia
ZDNet UK
January 07, 2004, 17:40 GMT

Microsoft has hit back at critics of Word's password-protect feature, which the company has admitted is not safe from hackers.

The tool is intended to make collaboration easier, Microsoft told ZDNet UK, explaining that users should invest in digital signatures or an Adobe Acrobat-type application if they want security.

A set of relatively simple instructions on how to bypass the security of a password-protected Word document was published on the Internet on Friday. Thorsten Delbrouck, chief information officer of German security company Guardeonic Solutions, informed Microsoft about the vulnerability in November 2003. A week later, Microsoft updated its Knowledge Base to warn users that the feature should not be used for security purposes.

David Bennie, Microsoft UK's Office product marketing manager, told ZDNet UK that although Word's password protection is useful for collaborating with colleagues, it is not a security feature and should not be relied upon as such.

"If [users] are using it as a security feature then that is not correct," said Bennie. He agreed that if a company wanted to transport documents securely, they should either use digital certificates or an application like Adobe Acrobat that can "lock down" the document.

"If you are looking for secure encryption you should not be using this feature. We have lots of customers out there using password protection, but the reason they are doing that is to stop general users changing the text or whatever -- and it works perfectly well for that," said Bennie.

However, Delbrouck believes Microsoft is attempting to play down the problem because it cannot be fixed. "I doubt there is much they can do about it, because they have to be backwards-compatible with their file format, which keeps changing," he said. "I think the only possible solution for them was to play down the problem."